This application is a divisional application of Chinese patent application No. 201380004584.3, of the same title, filed July 15, 2013.
This application claims, under 35 U.S.C. § 119(e), the benefit of and priority to U.S. Provisional Application No. 61/672,222, entitled "MECHANISM FOR CLOUD EMAIL SCANNING WITH GATEWAY POLICY APPLICATION", filed July 16, 2012 by Nicholas Liebmann et al.
Embodiment
Exemplary embodiment
Fig. 1 is a simplified block diagram of a communication system 100 for cloud scanning of email messages and local policy application in a network environment. An email threat sensor 130 in a cloud email network 113 and an email policy device 140 in a protected network 114 provide cloud scanning of email messages and local policy application, respectively. Fig. 1 also shows an external client 120 in an external network 112, a mail server 155 and an internal client 150 in the protected network 114, and the Internet 110. The Internet 110 facilitates network communication, including the exchange of email messages, among the network nodes of the external network 112, the cloud email network 113 and the protected network 114. The email threat sensor 130 can include a processor 131, a memory element 132, a cloud scanning module 133 and a communication module 134. The email policy device 140 can include a processor 141, a memory element 142, an inbound message policy module 143, an outbound message policy module 144, a local scanning module 145 and a user interface 146. Fig. 1 also provides memory elements for a report and/or message queue 147, a configuration database 148 and quarantined messages 149. These memory elements may be integrated with the email policy device 140, or may be electronically accessible by the email policy device 140.
The elements of Fig. 1 may be coupled to one another through one or more interfaces employing any suitable connection (wired or wireless), which provides a viable pathway for network communications. Additionally, any one or more of the elements of Fig. 1 may be combined, or removed from the architecture, based on particular configuration needs. Communication system 100 may include a configuration capable of transmission control protocol/Internet protocol (TCP/IP) communications for the transmission or reception of packets in a network. Communication system 100 may also operate in conjunction with user datagram protocol/IP (UDP/IP) or any other suitable protocol, where appropriate and based on particular needs.
In example embodiments, communication system 100 implements cloud scanning of email messages and local policy application in the protected network in order to block, quarantine, allow or reroute the email messages. In one example, an email message from external client 120 to an intended recipient in protected network 114 may be routed to email threat sensor 130 in cloud email network 113. Email threat sensor 130 may scan the email message for threats and communicate with email policy device 140. The email policy device may apply local policies to the message metadata and the scan result data to determine whether to block the email message from reaching the protected network. If the metadata and scan results do not prohibit receipt of the email message in the protected network, email policy device 140 may receive the email message, scan it for content prohibited by local scanning policies, and block, allow, quarantine or reroute the email message accordingly.
For purposes of illustrating certain example techniques of communication system 100, it is important to understand the communications that may be traversing the network environment. The following foundational information may be viewed as a basis from which the present disclosure may be properly explained.
Threats from inbound and outbound email can disrupt computer networks and result in unstable and/or insecure systems. For example, inbound email may contain, generate, invoke, respond to or be associated with malware, which may infect the receiving client and/or host and potentially propagate to other network elements and clients in the computer network. As used herein, 'threat' includes malware (malicious software), a broad term commonly used to describe software designed to engage in hostile and/or unwanted behavior on a computer, and generally including any software designed to interfere with the normal operation of a computer or network, gain unauthorized access to a computer system, or destroy, leak or modify data. Examples of malware include, but are not limited to, viruses, spam software, phishing scams, denial of service (DOS) attacks, directory harvesting, botnets, spyware, adware, trojans and worms. Threats may also include email that does not comply with network policies, and/or email that contains sensitive and/or confidential information that is not authorized to be transmitted.
To protect a protected network from threats of inbound email, an email protection device may be placed at a gateway to the Internet, within the protected network, or elsewhere where it can receive inbound email. An email protection device may provide virus scanning of email, filter out email containing malware or other undesirable content (e.g., profanity, obscene material, etc.), and filter out other email generated by or otherwise associated with malware. In this scenario, every email with a destination address in the protected network is received in the protected network in order to be scanned. Typically, scanning for malware involves decomposing and scanning the message. Consequently, email can consume a substantial amount of network bandwidth. Moreover, if a network receives all email in order to scan it, it may be unable to prevent denial of service attacks.
Another technique for protecting a network from threats of inbound email involves a cloud email service. Generally, a cloud service refers to the use of computing resources delivered as a service over a network (e.g., the Internet). Typically, computing, storage and network resources are provided in a cloud infrastructure, effectively shifting the workload from a local network onto the cloud network. A cloud email service used by a particular network may include: receiving inbound email for the particular network, scanning the email for potential threats, filtering email associated with malware or containing other undesirable content (e.g., based on virus scanning, spam software scanning and/or other criteria), and forwarding the unfiltered email to the network. Accordingly, a cloud email service can apply the policies of the destination network to filter email containing certain malware and/or other undesirable content.
In order to apply network-specific policies to filter email messages in the cloud network for a particular protected network, the network-specific configuration of the protected network is provided to the cloud. In some implementations, a network administrator of the protected network may access the cloud service to add and/or update their network-specific configuration. In other implementations, a network administrator may add and/or update their network-specific configuration locally and then push the configuration to the cloud. Cloud services are typically geographically distributed, possibly throughout the world. Consequently, delays may occur while the network-specific configuration is updated at all cloud sites. Thus, some cloud email services may not be synchronized with the same network-specific configuration when updates to that configuration have been made.
Although a cloud email service can provide threat protection for inbound email entering a given network while conserving the bandwidth of that network, a local solution is still needed to prevent confidential or sensitive information from leaving the network without appropriate authorization. For example, outbound email from the network may be transmitted through an on-premises appliance (or other suitable network element) that can perform compliance and data loss prevention scanning. When different systems provide inbound-specific and outbound-specific email protection, these protections are typically maintained and managed through separate user interfaces. Consequently, separate user configurations, reports, message queues and message quarantines may be provided by these different systems, creating an onerous management burden for network administrators.
A communication system for cloud email scanning and local policy application in a network environment, as outlined in Fig. 1, can resolve these issues (and others). In communication system 100 of Fig. 1, a hybrid solution allows a cloud email service to scan inbound email messages destined for a protected network, while the policies of the protected network are evaluated locally within that network by an email policy device that applies the policies to the email messages. Outbound email messages leaving the network are filtered at the email policy device before they leave the network. Communication system 100 applies policies and reports threat detection in real time, without storing user configurations in any location other than the email policy device (which may be an on-premises appliance). Whether an email message is received in the protected network depends on the user configuration. If no action needs to be performed on the email message data, the email policy device can reject the email message. In particular, before an email message is sent into the protected network, the email policy device can block an email message containing a threat based on information in the message metadata or on the scan result data from the cloud email service. Consequently, the bandwidth of the protected network can be conserved. In addition, the email policy device in the protected network can provide centralized management, including configuration, administration, reporting and quarantine. An authenticated user can manage the cloud email service and the on-premises email policy device through a single user interface, which can be provided by the email policy device.
Turning to the infrastructure of Fig. 1, communication system 100 is shown in accordance with an example embodiment. Generally, communication system 100 can be implemented in any type or topology of network. Protected network 114, Internet 110, cloud email network 113 and external network 112 each represent a series of points or nodes of interconnected communication paths for receiving and transmitting the packets of information that propagate through communication system 100. These networks offer a communicative interface between nodes and may be configured as any local area network (LAN), virtual local area network (VLAN), wide area network (WAN), wireless local area network (WLAN), metropolitan area network (MAN), Intranet, Extranet, virtual private network (VPN), or any other appropriate architecture or system that facilitates communications in a network environment, or any suitable combination thereof, including wired and/or wireless communication.
In communication system 100, network traffic, which is inclusive of packets, frames, signals, data, etc., can be sent and received according to any suitable communication messaging protocol. Suitable communication messaging protocols include multi-layered schemes such as the Open Systems Interconnection (OSI) model, or any derivation or variant thereof (e.g., transmission control protocol/Internet protocol (TCP/IP), user datagram protocol/IP (UDP/IP)). Additionally, radio signal communications over a cellular network may also be provided in communication system 100. Suitable interfaces and infrastructure may be provided to enable communication with the cellular network.
A packet is a unit of data that can be routed between a source node and a destination node on a packet-switched network such as Internet 110. A packet includes a source network address and a destination network address. These network addresses can be Internet Protocol (IP) addresses in a TCP/IP messaging protocol. The term 'data' as used herein refers to any type of binary, numeric, voice, video, textual or script data, any type of source or object code, or any other suitable information in any appropriate format that may be communicated from one point to another in electronic devices and/or networks. Additionally, messages, requests, responses and queries are forms of network traffic and therefore may comprise packets, frames, signals, data, etc.
As referenced herein, a 'protected network' (e.g., protected network 114) is intended to mean a private network, or a network under the control of a particular entity or organization, that is configured to be protected from the threats of inbound (and possibly outbound) email messages. Communications attempting to reach certain nodes of the protected network (e.g., a mail server) are first routed through one or more network elements of the protected network (e.g., gateways, firewalls, proxy servers, security appliances, etc.). In an example embodiment, a protected network may be a private network that uses a private address space (e.g., an Internet Protocol (IP) address space) for the nodes in the network. The private address space may follow the standards set by the Network Working Group in Request for Comments (RFC) 1918, Y. Rekhter et al., February 1996, and/or Request for Comments (RFC) 4193, R. Hinden et al., October 2005. Additionally or alternatively, a protected network may implement an address space of any other suitable format that allows a particular entity or organization to control the network communications to and from the protected network.
External network 112 may represent any other network outside protected network 114 that can send email messages to and/or receive email messages from protected network 114 over Internet 110. Cloud email network 113 may represent the computing resources that deliver an email threat service to protected network 114 over Internet 110.
For ease of description, Fig. 1 shows Internet 110 facilitating network communications among external network 112, cloud email network 113 and protected network 114. However, any other public, unprotected network could also facilitate these network communications. Additionally, the concepts disclosed herein are equally applicable within a private network (e.g., an Intranet), in which case the external clients and the cloud email service may be provided within the private network or a virtual private network (VPN). For example, an organization may own its own cloud email service (inside its private network) and have multiple email policy devices within the organization (e.g., divided by department, by building, etc.). Moreover, these email policy devices may be geographically dispersed or geographically co-located within the private network.
Generally, in the several implementations described above, inbound email messages destined for protected network 114 may be redirected to email threat sensor 130 in cloud email network 113. This may occur over an unprotected network such as Internet 110, or over a private network (e.g., an organization's Intranet). Email threat sensor 130 may perform antivirus and/or anti-spam scanning of a received email message to identify potential threats. Communications between email policy device 140 and email threat sensor 130 determine whether to block or quarantine the email message, or whether to forward the email message to mail server 155 in protected network 114. If the email message is forwarded, internal client 150 may access the email message through mail server 155, or mail server 155 may send the email message to internal client 150.
In one example implementation, email threat sensor 130 and email policy device 140 are network elements, a term meant to encompass network appliances, servers, routers, switches, gateways, bridges, load balancers, processors, modules, or any other suitable device, component, element or object operable to exchange information in a network environment. A network element may include any suitable hardware, software, components, modules or objects that facilitate its operation, as well as suitable interfaces for receiving, transmitting and/or otherwise communicating data or information in a network environment. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective exchange of data or information.
Regarding the internal structure associated with communication system 100, each of email threat sensor 130 and email policy device 140 can include a memory element (e.g., memory elements 132, 142) for storing information to be used in the operations outlined herein. Each of email threat sensor 130 and email policy device 140 may keep information in any suitable memory element (e.g., random access memory (RAM), read-only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), application specific integrated circuit (ASIC), etc.), software, hardware, firmware, or in any other suitable component, device, element or object, where appropriate and based on particular needs. Any of the memory items discussed herein (e.g., memory elements 132, 142) should be construed as being encompassed within the broad term 'memory element'. Moreover, the information being used, tracked, sent or received in communication system 100 could be provided in any database, register, queue, table, cache, control list or other storage structure, all of which can be referenced at any suitable timeframe. Any such storage option (e.g., report/message queue 147, configuration database 148, quarantined messages 149) may also be included within the broad term 'memory element' as used herein.
In certain example implementations, the functions outlined herein may be implemented by logic encoded in one or more tangible media (e.g., embedded logic provided in an ASIC, digital signal processor (DSP) instructions, software (potentially inclusive of object code and source code) to be executed by a processor or other similar machine, etc.), which may include non-transitory computer-readable media. In some of these instances, memory elements can store data used for the operations described herein. This includes the memory elements being able to store software, logic, code or processor instructions that are executed to carry out the activities described herein.
In one example implementation, the network elements of communication system 100 (e.g., email threat sensor 130 and/or email policy device 140) may include software modules (e.g., cloud scanning module 133, communication module 134, inbound message policy module 143, outbound message policy module 144 and/or local scanning module 145) to achieve, or to foster, the operations as outlined herein. These modules may be suitably combined in any appropriate manner, based on particular configuration and/or provisioning needs. In example embodiments, such operations may be carried out by hardware implemented externally to these elements, or included in some other network device, to achieve the intended functionality. Furthermore, these modules may be implemented as software, hardware, firmware or any suitable combination thereof. These elements may also include software (or reciprocating software) that can coordinate with other network elements in order to achieve the operations as outlined herein.
Additionally, each of email threat sensor 130 and email policy device 140 may include a processor (e.g., processors 131, 141) that can execute software or an algorithm to perform the activities discussed herein. A processor can execute any type of instructions associated with data to achieve the operations detailed herein. In one example, the processor could transform an element or an article (e.g., data) from one state or thing to another state or thing. In another example, the activities outlined herein may be implemented with fixed logic or programmable logic (e.g., software/computer instructions executed by a processor), and the modules identified herein could be some type of programmable processor, programmable digital logic (e.g., a field programmable gate array (FPGA), an EPROM, an EEPROM) or an ASIC that includes digital logic, software, code, electronic instructions, or any suitable combination thereof. Any of the potential processing elements, modules and machines described herein should be construed as being encompassed within the broad term 'processor'.
External and internal email clients 120 and 150 may be any system configured to access and manage a respective email mailbox. In one embodiment, external and internal email clients 120 and 150 may be configured as computer programs or mail user agents (MUAs) that connect to a respective mail server. For example, internal email client 150 may connect to mail server 155 to retrieve email messages from an associated email mailbox. In one embodiment, external and internal clients 120 and 150 may be provided in their respective networks on wired or wireless network nodes, which typically serve as endpoints of network connections. For example, such nodes may include desktop computers, laptop computers, mobile devices, personal digital assistants, smart phones, tablet computers or other similar devices.
Mail server 155 may include a message transfer agent (MTA) network element that transfers email messages from one computer to another using a client-server application architecture. Mail server 155 may receive an email message from another mail server (e.g., through email threat sensor 130 and email policy device 140) and deliver the email message to its intended recipient. An 'intended recipient' may be an email mailbox (e.g., email mailbox 156), which is a repository that receives and stores the email messages of a particular user or account. An email mailbox (e.g., email mailbox 156) may be provided on mail server 155, on the network node hosting the receiving email client (e.g., internal client 150), or in another memory element accessible to the mail server and the receiving email client. The email mailbox may be identified by the recipient email address of an email message, where the local part or user name placed before the '@' symbol in the recipient email address identifies the mailbox.
External client 120 may connect to another mail server (not shown), which may be provided in the network in which external client 120 is provided. Alternatively, that mail server may be provided in a cloud network (e.g., over the Internet), in another network to which external client 120 is remotely connected, or integrated with external client 120.
Cloud email network 113 may include network elements such as email threat sensor 130 to provide an email threat service to other networks such as protected network 114. Cloud email network 113 may also include other network elements, for example, one or more gateways, appliances, firewalls, servers, and/or other devices, components, elements or objects that facilitate receiving email and performing the email threat service in the network. Cloud scanning module 133 of email threat sensor 130 may include one or more antivirus and/or anti-spam components that decompose email messages and perform an operationally intensive scan of their various parts (e.g., message data, attachments, hyperlinks, etc.) to identify malware, spam or other threats.
Communication module 134 of email threat sensor 130 may provide email message information to the email policy device of a protected network for which cloud email network 113 provides the email threat service. For example, when email threat sensor 130 receives an email message for an intended recipient in protected network 114, communication module 134 may provide message metadata, scan results and email message data to email policy device 140 as needed. Additionally, communication module 134 may receive responses from email policy device 140 based on the information it has sent. A response may indicate whether more data (e.g., scan results, email message data) is requested, or whether the email message should be blocked based on policy.
Email policy device 140 may be a network element in protected network 114. In an example embodiment, email policy device 140 may be implemented in protected network 114 to receive communications from email threat sensor 130, and to receive inbound email messages before they are forwarded to their intended recipients according to their email addresses. Additionally, email policy device 140 may receive outbound email messages from internal clients via mail server 155 before those messages are forwarded to external clients by another mail server.
User interface 146 may be provided to enable an authenticated user (e.g., a network administrator) to input configurations for email messages entering protected network 114 or leaving protected network 114. In an example embodiment, user interface 146 may include a console with a graphical user interface (GUI) and suitable input devices (e.g., keyboard, mouse, trackball, touch screen, etc.) that allow a user to input configuration data that can be stored in configuration database 148.
Configuration data may include policies based on certain message metadata and/or scan results. For example, configuration data may include a policy to block (or allow) an email message when the scan results of the email message indicate the presence of a virus. Configuration data may also include a policy to allow an email message when the scan results indicate the presence of a certain type of malware that is not a virus.
Other configuration data may include a spam software threshold setting (e.g., 1-10). In this example, if the threshold is exceeded, the email message is identified as spam and blocked. In an example scenario, a user may configure a higher threshold setting for certain types of desired email content (e.g., advertisements for a particular medication) to allow those email messages to be received. Configuration data may also be based on the sender of an email message (e.g., a domain name or a particular IP address). For example, configuration data may include a policy to turn off spam scanning for email messages from a particular sender IP address.
Additionally, a user may configure different actions to be taken on an email message according to policy. Example actions include blocking the email message from being sent to the protected network, blocking the email message from being sent to the intended recipient of one email address in the protected network, or quarantining the email message.
Inbound message policy module 143 may apply policies from configuration database 148 based on the message metadata and/or scan results associated with an inbound email message. Inbound message policy module 143 may also send an appropriate response to email threat sensor 130 based on the policy evaluation.
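The policy evaluation described for inbound message policy module 143 can be made concrete with a small engine that applies the configured rules in the order the text implies: sender-based metadata rules first (so a message can be refused before the policy device ever asks the sensor for scan results), then the virus rule, the non-virus malware rule, and the spam threshold with its per-content-type override and per-sender exemption. This is an added example, not the patent's code; the field names, the `blocked_sender_domains` rule, the `content_category` tag and the sample values are assumptions standing in for configuration database 148.

```python
"""Illustrative inbound policy evaluation in the style of inbound message
policy module 143 (added example; field names and values are assumed)."""
from dataclasses import dataclass, field
from typing import Optional

# Actions the text lists, plus the response the sensor gets when the policy
# device cannot decide from metadata alone and needs scan results.
BLOCK, QUARANTINE, ALLOW, NEED_SCAN = "block", "quarantine", "allow", "need_scan_results"


@dataclass
class Metadata:
    sender_ip: str
    sender_domain: str
    content_category: str = "general"   # assumed tag, e.g. "pharma_ads"


@dataclass
class ScanResult:
    virus: bool = False
    malware_type: Optional[str] = None  # e.g. "adware" (malware that is not a virus)
    spam_score: int = 0                 # 1-10 scale named in the text


@dataclass
class Config:
    """Constructed configuration data standing in for configuration database 148."""
    block_on_virus: bool = True
    allowed_non_virus_malware: set = field(default_factory=lambda: {"adware"})
    spam_threshold: int = 5
    # Higher threshold for desired content (the text's medication-advert example).
    category_thresholds: dict = field(default_factory=lambda: {"pharma_ads": 8})
    # Sender IPs for which spam scanning is turned off (constructed address).
    spam_exempt_ips: set = field(default_factory=lambda: {"203.0.113.10"})
    # Assumed metadata-only rule: sender domains refused without any scan.
    blocked_sender_domains: set = field(default_factory=set)
    spam_action: str = BLOCK


def evaluate(meta: Metadata, scan: Optional[ScanResult], cfg: Config) -> str:
    """Return the action (or the response to the sensor) for one inbound message."""
    # 1. Metadata-only policy: decided before any scan data is requested.
    if meta.sender_domain in cfg.blocked_sender_domains:
        return BLOCK
    # 2. Nothing decided from metadata; ask the sensor for scan results.
    if scan is None:
        return NEED_SCAN
    # 3. Scan-result policies.
    if scan.virus and cfg.block_on_virus:
        return BLOCK
    if scan.malware_type and scan.malware_type not in cfg.allowed_non_virus_malware:
        return QUARANTINE
    # 4. Spam threshold, unless spam scanning is off for this sender.
    if meta.sender_ip not in cfg.spam_exempt_ips:
        threshold = cfg.category_thresholds.get(meta.content_category, cfg.spam_threshold)
        if scan.spam_score > threshold:
            return cfg.spam_action
    return ALLOW
```

Ordering is the point: the metadata check runs without scan results, so the response `need_scan_results` is only sent when metadata alone cannot decide, which is what lets the policy device avoid pulling message data it will refuse anyway.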
Configuration data may also include policies for network-specific content to be identified and/or filtered (e.g., image analysis, prohibited words/phrases, confidential and/or sensitive information, etc.), which require additional scanning of some or all email messages. Local scanning module 145 may be configured to scan email messages for network-specific content not covered by the cloud scanning. For example, local scanning may include scanning inbound or outbound email messages to apply network-specific image and/or text analysis that is not applied in the cloud scanning (e.g., for obscene material, unacceptable images, words or phrases, etc.). Local scanning may also include scanning to identify, and potentially filter, sensitive and confidential information passing through email policy device 140.
Additionally, email policy device 140 may store certain information for reporting and indicative purposes. Message metadata and/or information such as which email messages were blocked and the reasons for blocking may be used to populate report/message queue 147. Thus, a user may access on-premises (or local) reports on email message issues. Quarantined messages 149 may include the message data of email messages that email policy device 140 has blocked from being forwarded to their destination addresses in protected network 114.
Although report/message queue 147, configuration database 148 and quarantined messages 149 are represented in Fig. 1 as separate memory elements, this is for illustrative purposes only. These memory elements may be combined or separated in any suitable configuration. Moreover, these memory elements may be integrated with email policy device 140, distributed within protected network 114, or distributed in another network accessible to email policy device 140.
Turning to Fig. 2, an interaction diagram 200 illustrates potential network communications among external client 120, email threat sensor 130, email policy device 140 and mail server 155 according to an example embodiment. In this example interaction, external client 120 is the source (or 'sending client') of an email message sent to mail server 155, which is the destination (or 'receiving host') of the email message and hosts email mailbox 156. In this example, email mailbox 156 is the intended recipient of the email message. The transmitted email message may take the form of packets having a source IP address of the sending host or mail server associated with external client 120, and a destination IP address of mail server 155 in protected network 114.
At 202, external client 120 sends an email message to a recipient email address that identifies email mailbox 156 on mail server 155 in protected network 114. The email message is routed to email threat sensor 130 in cloud email network 113. In one exemplary implementation, the email message may be routed using mail exchanger (MX) records of the domain name system (DNS). One or more MX records for a domain name can specify how email messages for that domain are to be routed under the Simple Mail Transfer Protocol (SMTP), the Internet standard protocol for mail transfer across Internet Protocol networks. In this scenario, cloud email network 113 is configured to provide email threat services to protected network 114 and therefore receives all inbound email messages destined for protected network 114.
At 204, email threat sensor 130 initiates a network connection with Email Policies equipment 140 using an appropriate email protocol. In one exemplary embodiment, SMTP may be used. SMTP was updated in Request for Comments (RFC) 5321 by J. Klensin et al. in October 2005, which includes the Extended SMTP (ESMTP) additions.
In one exemplary implementation, at 206, Email Policies equipment 140 may accept the network connection and advertise whether it supports a custom extension to the SMTP protocol. The custom extension may be configured to allow email threat sensor 130 to transmit additional information about the email message (for example, message metadata, scan result data) to Email Policies equipment 140. In one embodiment, the ESMTP commands are proprietary and are advertised by Email Policies equipment 140 when an encrypted connection is made from email threat sensor 130 to Email Policies equipment 140. In other embodiments, any other suitable protocol may be used to communicate the additional information between email threat sensor 130 and Email Policies equipment 140. In one particular example, at least some portions of the relevant RFCs may be ignored, and non-standard commands or protocols may be implemented within the SMTP session to carry out these communications.
Once the network connection is established between email threat sensor 130 and Email Policies equipment 140, and assuming that the custom extension or another suitable protocol is supported, at 208 email threat sensor 130 can send message metadata to Email Policies equipment 140. Message metadata may include, but is not limited to, connection information and/or protocol information for the email message. Connection information may include the IP address of the sending host (for example, a mail server corresponding to external client 120) and the domain of the sending host. Protocol information may include standard SMTP information (for example, sender and recipient information). In particular, protocol information may include the sender's email address or domain name, which may differ from the actual sending host of the email message. Protocol information may also include the recipient's email address or domain. If the intended recipient (email mailbox) does not exist in the protected network, this information can be used to prevent the email message from being forwarded to protected network 114.
At 210, Email Policies equipment 140 evaluates the received message metadata and the metadata policies. Evaluating message metadata may include reading and interpreting the metadata. Metadata policies (for example, from configuration data database 148) may also be evaluated to determine whether any policy applies to the received message metadata. Based on the received message metadata, it can be determined (for example, by inbound mail policy module 143) whether receiving the email message in protected network 114 is prohibited by a metadata policy. These policies may be configured by an authenticated user in a user interface of Email Policies equipment 140 and may be stored, for example, in configuration data database 148. Email Policies equipment may be an on-premise or local device or other network element that an authenticated user can readily access.
Depending on the content of the metadata and the applicable policies, different actions may be taken. Blocking the email message is one example of a possible action. A block action may be taken to prevent the email message from entering the protected network; the email message enters the protected network when it is forwarded from another network to any node in the protected network. A block action may be taken if a policy prohibits receiving (or the entry of) email messages having particular message metadata (for example, a particular source IP address or source domain) in the protected network.
Quarantining the email message is another example of a possible action. In this case, the policy may permit the protected network to receive the email message (for example, at Email Policies equipment 140) but prohibit the email message from being forwarded to its intended recipient in the protected network, as further described herein. Quarantining may include saving the email message (for example, in quarantined messages 149) and preventing it from being forwarded to the intended recipient. In addition, a block action may also be taken after the email message has been received in (i.e., has entered) the protected network, based on local scan results, as further described herein.
Numerous different policy configurations may be used to manage email messages based on message metadata. In one possible configuration, a policy may positively identify particular sending host IP addresses, sending host domain names, sender email addresses and/or sender domain names that are to be blocked, allowed or quarantined. In another possible configuration, pattern matching may be used to determine which domains to block. For example, if a lookup of the sending host IP address returns XYZ.com, *.XYZ.com may be blocked. In another configuration, a policy may include a rule that blocks forwarding of the email message to protected network 114 when the mail user name of the recipient (or destination) of the email message does not exist in protected network 114. These exemplary configurations are for illustration purposes only and are not intended to limit the numerous possible configurations for managing email messages based on message metadata. In addition, if the email message is determined, based on its message metadata, to be prohibited by a policy, the block and/or quarantine action and any relevant information may be recorded in report/message queue 147.
At 212, Email Policies equipment 140 may send a response to email threat sensor 130 based on its evaluation of the message metadata and the application of any relevant metadata policies. In one embodiment, the response may be a code indicating whether more information associated with the email message should be sent to Email Policies equipment 140. Accordingly, if no policy is configured to block the email message based on its particular metadata, the response code may represent a request for more data. The more data may include scan result data for the email message (for example, anti-virus and/or anti-spam scan result data). However, if a policy is configured that prohibits the email message based on its particular metadata, the response code may indicate that no additional data associated with the email message is to be sent to Email Policies equipment 140. Thus, in this scenario, the email message is effectively blocked from the protected network.
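The metadata evaluation at 210 and the response selection at 212 can be made concrete with the following added example. It is not code from the patent or from any product; the policy shape (a dataclass with block lists, a wildcard domain list, a quarantine list and a set of known mailboxes), the response strings REQUEST_MORE_DATA and NO_MORE_DATA, the protected domain example.net and all sample addresses are constructed for the illustration, and the precedence (block checks first, then quarantine, then allow) is an assumption rather than something the text prescribes:

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field

# Hypothetical response codes sent at step 212 (the page names none).
REQUEST_MORE_DATA = "250-SEND-SCAN-RESULTS"   # no metadata policy blocks it: ask for scan results
NO_MORE_DATA = "550-NO-MORE-DATA"             # blocked on metadata: send nothing further

PROTECTED_DOMAIN = "example.net"              # constructed: domain of protected network 114


@dataclass
class MetadataPolicy:
    """Hypothetical shape of a metadata policy from configuration data database 148."""
    blocked_hosts: list = field(default_factory=list)       # sending host IPs or CIDR ranges
    blocked_domains: list = field(default_factory=list)     # glob patterns such as "*.XYZ.com"
    quarantined_senders: set = field(default_factory=set)   # sender addresses to hold at the appliance
    known_mailboxes: set = field(default_factory=set)       # local parts that exist in the protected network


def host_blocked(ip, policy):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in policy.blocked_hosts)


def domain_blocked(domain, policy):
    d = domain.lower()
    for pattern in policy.blocked_domains:
        p = pattern.lower()
        # "*.xyz.com" is taken to cover xyz.com itself as well as any subdomain
        if fnmatch.fnmatch(d, p) or (p.startswith("*.") and d == p[2:]):
            return True
    return False


def recipient_missing(recipient, policy):
    """The 'mail user name does not exist in the protected network' rule."""
    local, _, domain = recipient.rpartition("@")
    return domain.lower() == PROTECTED_DOMAIN and local.lower() not in policy.known_mailboxes


def evaluate_metadata(meta, policy, report_queue):
    """Steps 210/212: decide on the connection + protocol metadata and pick the reply.

    meta is a dict with keys host_ip, host_domain, sender, recipient.
    Returns (action, response_code) with action in {"allow", "block", "quarantine"};
    block and quarantine decisions are appended to report_queue (queue 147)."""
    reasons = []
    if host_blocked(meta["host_ip"], policy):
        reasons.append("sending host IP blocked")
    if domain_blocked(meta["host_domain"], policy):
        reasons.append("sending host domain blocked")
    if recipient_missing(meta["recipient"], policy):
        reasons.append("recipient mailbox does not exist")
    if reasons:
        report_queue.append({"recipient": meta["recipient"], "action": "block", "reasons": reasons})
        return "block", NO_MORE_DATA
    if meta["sender"].lower() in policy.quarantined_senders:
        # quarantine still lets the appliance receive the message, so more data is requested
        report_queue.append({"recipient": meta["recipient"], "action": "quarantine",
                             "reasons": ["sender marked for quarantine"]})
        return "quarantine", REQUEST_MORE_DATA
    return "allow", REQUEST_MORE_DATA


# Constructed sample policy used by the usage below.
SAMPLE_POLICY = MetadataPolicy(
    blocked_hosts=["203.0.113.0/24"],
    blocked_domains=["*.XYZ.com"],
    quarantined_senders={"promo@partner.example"},
    known_mailboxes={"alice", "bob"},
)

if __name__ == "__main__":
    queue = []
    meta = {"host_ip": "203.0.113.7", "host_domain": "mx.good.example",
            "sender": "x@good.example", "recipient": "alice@example.net"}
    print(evaluate_metadata(meta, SAMPLE_POLICY, queue), queue)
```

The point worth noticing is the asymmetry between the two non-allow outcomes: a block answers with NO_MORE_DATA, so the sensor never scans or forwards the message, while a quarantine still answers REQUEST_MORE_DATA because the appliance needs the message in order to hold it.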
At 214, email threat sensor 130 determines whether the response indicates a request for more data. If it does not, then at 236 email threat sensor 130 may send an email message status to the sending external client 120 indicating that the email message was not delivered to its intended recipient. If the response is a request for more data, then at 216 the email message may be scanned (for example, anti-virus scanning, anti-spam scanning). In one embodiment, cloud scan module 133 performs these scan operations. Scanning may be a processing-intensive action for email threat sensor 130, which decomposes the message and performs scans on the message data, attachments and/or hyperlinks in the email message.
At 218, email threat sensor 130 may send the scan result data for the email message to Email Policies equipment 140. At 220, Email Policies equipment 140 evaluates the scan result data for the email message and the scan policies. Evaluating the scan result data may include reading and parsing it. In addition, scan policies (for example, from configuration data database 148) may be evaluated to determine whether any policy applies to the received scan result data. In particular, based on the received scan result data, it can be determined (for example, by inbound mail policy module 143) whether receiving the email message in protected network 114 is prohibited by a scan policy. These policies may be configured by an authenticated user in a user interface of Email Policies equipment 140. Because configuration data database 148 is maintained through user interface 146 of Email Policies equipment 140, updates to configuration data database 148 are immediately accessible in real time by Email Policies equipment 140.
There are numerous different configurations and actions (for example, block, quarantine, allow, reroute, etc.) that may be used to manage email messages based on scan result data and scan policies. Different entities may have different tolerance thresholds for spam and/or virus traffic in their protected networks. A given network may be set with a higher threshold for receiving spam than another network. A given network may have a policy prohibiting any node in the network from receiving any email message with an identified virus. Another network may have a policy that allows receipt of email messages with an identified virus, for example when such a message is needed for business purposes. In other configurations, a given network may have a policy prohibiting delivery of email messages with identified viruses (or spam) to the intended email addresses in the network, while still allowing such messages to be received by certain types of security devices in the network (for example, Email Policies equipment 140) so that they can be quarantined (for example, in quarantined messages 149).
In another example, a given network may allow particular email advertisements that are related to a business associated with the network. If email threat sensor 130 would generally identify these email advertisements as spam in its anti-spam scanning, a policy may be configured at Email Policies equipment 140 (for example, through user interface 146) to allow this particular type of email advertisement. A threshold count may be set to indicate when a message is identified as spam; a network with a higher tolerance for receiving spam may set a higher threshold count. Furthermore, spam tolerance thresholds may be configured per user, per user group or per network. Additionally or alternatively, this configuration may be based on the sender of the email message (for example, the domain name of a particular email address). Accordingly, spam filtering may be turned off for particular trusted domains. It is therefore possible to control, within a network, certain network-specific logic for inbound and outbound email messages without relying on configuration data being pushed to the cloud service.
If, based on the scan result data of the email message, a policy is determined to block or quarantine the email message, the block or quarantine action and any relevant information may be recorded, for example, in report/message queue 147. These exemplary configurations are for illustration purposes only and are not intended to limit the numerous possible configurations for managing email messages based on scan result data.
At 222, Email Policies equipment 140 may send a response to email threat sensor 130 based on its evaluation of the scan result data and the application of any relevant scan policies. In one embodiment, the response may be a code indicating whether the email message should be sent to Email Policies equipment 140. Accordingly, if no policy is configured to block receipt of the email message in protected network 114 based on its particular scan result data, the response code may represent a request for the email message. A request for the email message may also be sent when a policy prohibits delivery of the email message to its recipient email address but allows the protected network (for example, Email Policies equipment 140) to receive the email message for further processing and/or quarantine. However, if a policy is configured to block receipt of the email message in protected network 114 based on its particular scan results, the response code may indicate that no additional data associated with the email message is to be sent to Email Policies equipment 140. Thus, in this scenario, the email message is effectively blocked from the protected network.
At 224, email threat sensor 130 determines whether the response indicates a request for the email message. If it does not, then at 236 email threat sensor 130 may send an email message status to the sending external client 120 indicating that the email message was not delivered to its intended recipient. If the response is a request for the email message, then at 226 email threat sensor 130 may forward the email message to Email Policies equipment 140.
At 228, Email Policies equipment 140 may perform additional processing on the email message. In one embodiment, additional scanning may be performed for particular content that is not allowed in the specific protected network and that cloud scanning is not required to filter. For example, a given network may not allow certain types of images (for example, obscene images) or certain words or phrases (for example, profanity). If email threat sensor 130 does not identify these in its anti-virus and/or anti-spam scanning, local scan policies may be configured at Email Policies equipment 140 (for example, through user interface 146) and applied to email messages received from email threat sensor 130. Scanning for confidential or sensitive information may also be performed to control receipt of such information (for example, via inbound email messages) and distribution of such information (for example, via outbound email messages).
At Email Policies equipment 140, a block or quarantine action may be taken on the email message. The action may depend on the local scan results (if any) and on the previous evaluations of message metadata and scan result data (if the policies applied at 210 and/or 220 indicated that the email message should be quarantined). A block action may prevent the email message from being delivered to its intended recipient. A quarantine action may quarantine the email message by saving it in quarantined messages 149. In another implementation, the email message may be rerouted to another location, for example for use in additional analysis.
At 230, it is determined whether the email message is prohibited by policy, based on the additional scanning for network-specific prohibited content. If the email message is not prohibited by policy (for example, no additional scanning was performed, or additional scanning was performed and nothing indicated that the email message was prohibited), then at 232 the email message may be forwarded to mail server 155, which may forward it to email mailbox 156.
Delivery of the email message to mail server 155 at 232 may be determined by any suitable mechanism, which may be implemented according to the particular needs of protected network 114. For example, standard SMTP mail delivery rules may be used. The recipient email address in the email message may be used to query the domain name system (DNS), where various types of DNS records (for example, MX records, A records) can provide the network address of mail server 155. In another implementation, delivery may be determined by a pre-configured route. A network administrator may configure Email Policies equipment 140 to forward email messages for a particular domain (indicated in the recipient email address) to a particular destination network address (for example, that of mail server 155). In another implementation, delivery may be determined by an alternative directory service. A network administrator may configure Email Policies equipment 140 to query an attribute in a directory service (for example, LDAP/Active Directory) to determine the destination network address (for example, that of mail server 155).
If additional scanning is performed at 228 and one or more local scan policies are determined to prohibit delivery of the email message to its intended recipient in protected network 114, the email message may be blocked or quarantined. At 234, Email Policies equipment 140 sends a response to email threat sensor 130 indicating that the email message was blocked or quarantined. At 236, email threat sensor 130 may send a status to the sending external client 120 indicating that the email message was not delivered to its intended recipient.
At 230, it may also be determined, based on the previous evaluation of message metadata and metadata policies (at 210) and of scan result data and scan policies (at 220), whether a policy requires the email message to be quarantined. In this scenario, Email Policies equipment 140 is not blocked from receiving the email message, but at 230 the email message is blocked from being forwarded to mail server 155. Thus, at 226, Email Policies equipment 140 receives the email message. The email message may or may not require additional scanning, but in either case it is determined whether the previous policy evaluation requires the email message to be quarantined.
If, based on the local scan policies, the email message need not be quarantined and also need not be blocked, then at 232 the email message may be forwarded to mail server 155, which may forward it to email mailbox 156. At 234, Email Policies equipment 140 may send a response to email threat sensor 130 indicating that the email message was delivered to its intended recipient. At 236, email threat sensor 130 may then send a status to the sending external client 120 indicating that the email message was delivered to its intended recipient.
If at 230 it is determined that the email message needs to be quarantined, the email message is quarantined, for example by storing it in quarantined messages 149. At 234, Email Policies equipment 140 sends a response to email threat sensor 130 indicating that the email message was blocked or quarantined. At 236, email threat sensor 130 may send a status to the sending external client 120 indicating that the email message was not delivered to its intended recipient.
In another implementation option, a network administrator may configure Email Policies equipment 140 to deliver certain email messages to their intended recipients even when they violate one or more metadata policies, scan policies and/or local scan policies. If a threat and/or prohibited content is detected in an email message, the detection may be recorded and/or a notification may be sent to an appropriate user or system. Similarly, if the message metadata of an email message violates a metadata policy, the violation may be recorded and/or a notification may be sent. The email message may then be delivered to its intended recipient. Alternatively, the email message may be forwarded to a specified destination network address for further scanning, remote quarantine or inspection.
Turning to Fig. 3, an exemplary flowchart shows possible operations of a flow 300 that may be associated with email threat sensor 130. In one embodiment, one or more operations of flow 300 may be performed by scan module 133 and/or communication module 134.
At 302, email threat sensor 130 receives an email message sent from a sending client to an intended recipient in a protected network. The intended recipient may be an email mailbox of a mail server in the protected network and is identified in the recipient email address of the email message. In particular, the recipient email address may provide a local part corresponding to the email mailbox (or user name) and a domain name corresponding to the protected network. The sending client may be located outside the protected network of the mail server.
At 304, the email message may be scanned (for example, by scan module 133) for threats such as malware and spam. In this exemplary embodiment, the scanning of the email message (at 304) occurs before email threat sensor 130 connects to the Email Policies equipment of the protected network. In other embodiments, however, the scanning of the email message may occur after some communication between email threat sensor 130 and Email Policies equipment 140, as further described herein.
At 306, the email threat sensor establishes a connection with the Email Policies equipment in the protected network. The Email Policies equipment may also advertise whether it supports a protocol, such as a custom extension to the SMTP protocol, that allows the email threat sensor to send additional information about the email message (for example, message metadata, scan result data). At 308, the email threat sensor sends message metadata for the email message to the Email Policies equipment. The message metadata may include connection information and/or protocol information associated with the email message.
At 310, the email threat sensor receives a response from the Email Policies equipment. The response may be based on the policy configuration of the Email Policies equipment as applied to the message metadata. At 312, it is determined whether the response indicates a request for more data associated with the email message. If the response is not a request for more data, it indicates that receipt of the email message in the protected network is prohibited by a metadata policy. In this case, the email threat sensor may send a status message at 330 to notify the sending client that the intended recipient did not receive the email message.
If the response from the Email Policies equipment is a request for more data, then at 314 the email message may be scanned (for example, by scan module 133). The scan operation at 314 represents another embodiment, in which the email message is scanned after the email threat sensor has connected to the Email Policies equipment and after it has been determined that no metadata policy prohibits receipt of the email message in the protected network. Thus, email messages blocked by a policy based on message metadata are never scanned. Performing the scan at 314 rather than at 304 can therefore save processing.
At 316, the email threat sensor may send scan result data to the Email Policies equipment. At 318, the email threat sensor receives a response from the Email Policies equipment. The response may be based on the policy configuration of the Email Policies equipment as applied to the scan result data.
At 320, it is determined whether the response indicates a request for the email message. If the response is not a request for the email message, it indicates that receipt of the email message in the protected network is prohibited by a scan policy. In this case, the email threat sensor may send a status message at 330 to notify the sending client that the intended recipient did not receive the email message.
If at 320 it is determined that the response from the Email Policies equipment is a request for the email message, then at 322 the email threat sensor sends the email message to the Email Policies equipment. At 324, the email threat sensor receives a response from the Email Policies equipment. The response may be based on the additional scan policy configuration applied to the email message. If no additional scanning is performed, however, the response may be based on delivery of the email message to the intended recipient.
After the response is received from the Email Policies equipment at 324, it is determined at 326 whether the email message was blocked or quarantined by a policy in the Email Policies equipment. If the email message was blocked or quarantined, the email threat sensor may send a status message at 330 to notify the sending client that the email message was not delivered to the intended recipient. If the email message was not blocked or quarantined, then at 328 the email threat sensor may send a status message to notify the sending client that the email message was delivered to the intended recipient.
Turning to Figs. 4A and 4B, exemplary flowcharts show possible operations of a flow 400 that may be associated with Email Policies equipment 140. In one embodiment, one or more operations of flow 400 may be performed by inbound mail policy module 143 and/or local scan module 145.
In Figs. 4A and 4B, flow 400 assumes that a connection has been established between the Email Policies equipment and the email threat sensor that provides the cloud threat service (as described in detail for Figs. 2 and 3). At 402, the Email Policies equipment receives message metadata from the email threat sensor. At 404, the message metadata is evaluated and a determination is made as to whether the email message is prohibited by any metadata policy configuration. If a metadata policy prohibits the email message based on the message metadata (for example, connection information, protocol information), then at 432 the blocking of the email message may be recorded in report/message queue 147. Then, at 434, because the email message was blocked, a response indicating that no more data is requested may be sent to the email threat sensor.
If no metadata policy prohibits the email message based on the message metadata (as determined at 404), then at 406 the Email Policies equipment may send a response to the email threat sensor requesting the scan result data associated with the email message. At 408, the Email Policies equipment may receive the scan result data for the email message from the email threat sensor. The scan result data may include anti-virus scan results and/or anti-spam scan results from the scanning performed on the email message in the cloud email network.
At 410, the scan result data is evaluated to determine whether the email message is prohibited by any scan policy configuration. If a scan policy prohibits the email message based on the scan result data, then at 432 the blocking of the email message may be recorded in report/message queue 147. The scan policy configuration may be adjusted to the particular needs of a given network. In some scenarios, all positive cloud scan results (for example, for viruses or spam) may be prohibited by scan policy; in other scenarios, however, some viruses or spam may not be prohibited. At 434, because receipt of the email message in the protected network is prohibited by a scan policy, a response indicating that no more data is requested may be sent to the email threat sensor.
If no scan policy prohibits the email message based on the scan result data (as determined at 410), then at 412 the Email Policies equipment may send a response to the email threat sensor requesting the email message. At 414, the Email Policies equipment may receive the email message from the email threat sensor.
After the email message is received, it is determined at 416 whether the email message should be quarantined. In the embodiment of flow 400, the policy configuration of the Email Policies equipment may require that certain email messages prohibited on the basis of message metadata or cloud scan result data be quarantined. In this implementation, during the metadata and scan policy evaluations, the email message may be identified in the Email Policies equipment and marked for blocking and/or quarantine (for example, in quarantined messages 149). Once the email message is received, a lookup may be performed (for example, in report/message queue 147) to determine whether the email message was determined to be prohibited by policy and, if so, marked for quarantine.
If at 416 it is determined that the email message was previously marked for quarantine, then at 426 the email message may be quarantined, for example by storing its message data in quarantined messages 149. At 432, the email message may be recorded as blocked (and/or quarantined), for example in report/message queue 147. At 434, a response may be sent to the email threat sensor indicating that the email message was blocked and/or quarantined and therefore was not received by the intended recipient.
If at 416 it is determined that the email message was not previously marked for quarantine, then at 418 it is determined whether the email message requires further scanning. For example, network-specific policies for prohibited content may be configured for inbound email messages that have passed the metadata and cloud scan result evaluations. If the email message requires further scanning, then at 420 the email message is scanned.
At 422, the local scan results are evaluated and a determination is made as to whether the email message is prohibited by any local scan policy configuration. If at least one local scan policy prohibits the email message based on the local scan results, then at 428 it is determined whether a policy requires the email message to be quarantined. If so, then at 430 the email message is quarantined. Whether or not the email message is quarantined, at 432 the blocking of the email message may be recorded, for example in report/message queue 147. Then, at 434, a response may be sent to the email threat sensor indicating that the email message was blocked and/or quarantined and therefore was not received by the intended recipient.
If, based on the local scan results, no local scan policy prohibits the email message (as determined at 422), or if the email message does not require further scanning (as determined at 418), then at 424 the email policy appliance forwards the email message according to the recipient email address in the email message. Specifically, the email policy appliance can forward the email message to a mail server configured to receive email messages in the protected network. The mail server can then deliver the email message to the intended recipient (for example, to an email mailbox). At 436, the email policy appliance can also send a response to the email threat sensor indicating that the email message has been delivered to the intended recipient.
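The staged exchange described for flow 400 (metadata policy, then cloud scan result policy, then the message itself with local scanning, quarantine and forwarding), modeled as an added example in Python. This is not the patent's code and not code from any product: the class and policy names, the answer-code strings, the sample messages and the toy cloud scan are all constructed assumptions, and the queue, quarantine and mailbox dictionaries stand in for the report/message queue 147, the quarantined messages 149 and the mail server only by analogy.

```python
# Added illustrative model (not the patent's code) of the staged exchange between the
# cloud email threat sensor and the gateway's inbound policy module; every name,
# answer code, policy name and sample message below is a constructed assumption.
from collections import namedtuple
from dataclasses import dataclass, field
import re

# Answer codes the policy module returns to the threat sensor after each stage.
CONTINUE = "continue"        # not prohibited so far; sensor sends the next stage
BLOCKED = "blocked"          # prohibited and dropped; no recipient reply expected
QUARANTINED = "quarantined"  # held by the policy module; no recipient reply expected
DELIVERED = "delivered"      # forwarded to the protected network's mail server

Metadata = namedtuple("Metadata", "sender sender_ip recipient size")
ScanResult = namedtuple("ScanResult", "spam_score malware")   # spam_score in 0.0..1.0

@dataclass
class InboundPolicyModule:
    """Gateway side: metadata policies, then scan policies, then a local body scan."""
    blocked_senders: set
    max_size: int
    spam_threshold: float
    local_patterns: list         # regexes for content a local scan policy prohibits
    quarantine_policies: set     # policies whose hits are quarantined instead of dropped
    queue: dict = field(default_factory=dict)       # report/message queue: msg_id -> record
    quarantine: dict = field(default_factory=dict)  # quarantined message bodies
    mailbox: dict = field(default_factory=dict)     # stands in for the mail server

    def _decide(self, msg_id, policy):
        """Record the hit; keep the exchange open only if the hit is to be quarantined."""
        quarantine = policy in self.quarantine_policies
        self.queue[msg_id] = {"policy": policy, "quarantine": quarantine}
        return CONTINUE if quarantine else BLOCKED

    def on_metadata(self, msg_id, md):
        if md.sender in self.blocked_senders:
            return self._decide(msg_id, "sender-blocklist")
        if md.size > self.max_size:
            return self._decide(msg_id, "max-size")
        return CONTINUE

    def on_scan_result(self, msg_id, sr):
        if sr.malware:
            return self._decide(msg_id, "malware")
        if sr.spam_score >= self.spam_threshold:
            return self._decide(msg_id, "spam")
        return CONTINUE

    def on_message(self, msg_id, md, body):
        # 416/426: a message flagged for quarantine at an earlier stage is quarantined now
        flagged = self.queue.get(msg_id)
        if flagged and flagged["quarantine"]:
            self.quarantine[msg_id] = body
            return QUARANTINED
        # 418-430: local scan for content the network-specific policy prohibits
        for pattern in self.local_patterns:
            if re.search(pattern, body):
                if self._decide(msg_id, "local-content") == CONTINUE:
                    self.quarantine[msg_id] = body
                    return QUARANTINED
                return BLOCKED
        # 424: forward to the mail server for the recipient
        self.mailbox.setdefault(md.recipient, []).append(body)
        return DELIVERED

class ThreatSensor:
    """Cloud side: drives the metadata -> scan result -> message stages in order."""
    MALWARE_MARKER = "MALWARE-SAMPLE"   # constructed stand-in for a signature match

    def __init__(self, gateway):
        self.gateway = gateway

    def cloud_scan(self, body):
        spam_words = ("free", "winner", "click here")
        score = sum(w in body.lower() for w in spam_words) / len(spam_words)
        return ScanResult(score, self.MALWARE_MARKER in body)

    def handle(self, msg_id, md, body):
        answer = self.gateway.on_metadata(msg_id, md)
        if answer == CONTINUE:
            answer = self.gateway.on_scan_result(msg_id, self.cloud_scan(body))
        if answer == CONTINUE:            # only now is the full message sent
            answer = self.gateway.on_message(msg_id, md, body)
        return answer

def demo():
    """Run constructed sample messages through the exchange; returns (gateway, answers)."""
    gw = InboundPolicyModule(
        blocked_senders={"spammer@example.net"}, max_size=10_000_000, spam_threshold=0.5,
        local_patterns=[r"\bSSN:\s*\d{3}-\d{2}-\d{4}\b"],
        quarantine_policies={"spam", "local-content"})
    sensor = ThreatSensor(gw)
    alice = Metadata("alice@example.org", "198.51.100.7", "bob@protected.example", 2048)
    spammer = Metadata("spammer@example.net", "198.51.100.9", "bob@protected.example", 512)
    answers = {
        "clean": sensor.handle("m1", alice, "Hi Bob, see you at noon."),
        "blocked-sender": sensor.handle("m2", spammer, "anything"),
        "spam-quarantined": sensor.handle("m3", alice, "FREE prize! You are a WINNER, click here"),
        "local-quarantined": sensor.handle("m4", alice, "Records attached. SSN: 123-45-6789"),
        "malware-blocked": sensor.handle("m5", alice, "invoice " + ThreatSensor.MALWARE_MARKER)}
    return gw, answers
```

Calling `demo()` runs five constructed messages through the exchange. Two points worth checking against the flow above: the message body crosses into the protected network only after the metadata and scan stages have both answered "continue", so a message blocked on metadata is never transmitted; and a message that a quarantine policy flags at the metadata or scan stage still answers "continue" so that the body is sent and can be held locally (the 416/426 path) instead of being discarded in the cloud.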
Fig. 5 shows a computing system 500 arranged in a point-to-point (PtP) configuration according to one embodiment. In particular, Fig. 5 shows a system in which processors, memory and input/output devices are interconnected by a number of point-to-point interfaces. Generally, one or more of the network elements of communication system 100 can be configured in the same or a similar manner as computing system 500. For example, each of email threat sensor 130 and email policy appliance 140 described herein can be configured in the same or a similar manner as exemplary computing system 500, with processors 131 and 141 corresponding to processors 570 and/or 580 respectively, and memory elements 132 and 142 corresponding to memory elements 532 and/or 534 respectively.
As shown in Fig. 5, system 500 may include several processors, of which only two, processors 570 and 580, are shown for clarity. Although two processors 570 and 580 are shown, it should be understood that an embodiment of system 500 may also include only one such processor. Each of processors 570 and 580 may include a set of cores (i.e., processor cores 574A and 574B and processor cores 584A and 584B) to execute multiple threads of a program. These cores may be configured to execute instruction code in a manner similar to that discussed above with reference to Figs. 1-4. Each processor 570, 580 may include at least one shared cache 571, 581. The shared caches 571, 581 may store data (e.g., instructions) used by one or more components of processors 570, 580, such as processor cores 574 and 584.
Processors 570 and 580 may also include integrated memory controller logic (MC) 572 and 582 to communicate with memory elements 532 and 534, respectively. Memory elements 532 and/or 534 may store various data used by processors 570 and 580. In alternative embodiments, memory controller logic 572 and 582 may be discrete logic separate from processors 570 and 580.
Processors 570 and 580 may be any type of processor, such as those discussed with reference to Fig. 1. Processors 570 and 580 may exchange data via a point-to-point (PtP) interface 550 using point-to-point interface circuits 578 and 588, respectively. Processors 570 and 580 may each exchange data with chipset 590 via individual point-to-point interfaces 552 and 554 using point-to-point interface circuits 576, 586, 594 and 598. Chipset 590 may also exchange data with a high-performance graphics circuit 538 via a high-performance graphics interface 539 using an interface circuit 592, which may be a PtP interface circuit. In alternative embodiments, any or all of the PtP links shown in Fig. 5 may be implemented as a multi-drop bus rather than as PtP links.
Chipset 590 may communicate with a bus 520 via an interface circuit 596. Bus 520 may have one or more devices communicating over it, such as a bus bridge 518 and I/O devices 516. Via a bus 510, bus bridge 518 may communicate with other devices such as a keyboard/mouse 512 (or other input devices such as a touch screen, trackball, and the like), communication devices 526 (such as modems, network interface devices, or other types of communication devices that may communicate over a computer network 560), audio I/O devices 514, and/or a data storage device 528. Data storage device 528 may store code to be executed by processors 570 and/or 580. In alternative embodiments, any portion of the bus architecture may be implemented with one or more PtP links.
The computer system depicted in Fig. 5 is a schematic illustration of one embodiment of a computing system that may be used to implement the various embodiments discussed herein. It should be understood that the various components of the system depicted in Fig. 5 may be combined in a system-on-chip (SoC) architecture or in any other suitable configuration. For example, the embodiments disclosed herein may be incorporated into systems including mobile devices such as smart cellular phones, tablet computers, personal digital assistants, portable gaming devices, and the like. It should be understood that, in at least some embodiments, these mobile devices may be provided with SoC architectures.
Fig. 6 shows a processor core 600 according to one embodiment. Processor core 600 may be the core of any type of processor, such as a microprocessor, an embedded processor, a digital signal processor (DSP), a network processor, or another device for executing code. Although only one processor core 600 is shown in Fig. 6, a processor may alternatively include more than one of the processor cores 600 shown in Fig. 6. For example, processor core 600 represents one exemplary embodiment of processor cores 574a, 574b, 584a and 584b shown and described with reference to processors 570 and 580 of Fig. 5. Processor core 600 may be a single-threaded core or, in at least one embodiment, processor core 600 may be multithreaded, in that each core may include more than one hardware thread context (or "logical processor").
Fig. 6 also shows a memory 602 coupled to processor core 600 according to one embodiment. Memory 602 may be any of a wide variety of memories (including the various layers of a memory hierarchy) as are known or otherwise available to those of ordinary skill in the art. Memory 602 may include code 604, which may be one or more instructions, to be executed by processor core 600. Processor core 600 can follow the program sequence of instructions indicated by code 604. Each instruction enters front-end logic 606 and is processed by one or more decoders 608. The decoder may generate as its output a micro-operation, such as a fixed-width micro-operation in a predefined format, or may generate other instructions, micro-instructions, or control signals that reflect the original code instruction. Front-end logic 606 also includes register renaming logic 610 and scheduling logic 612, which generally allocate resources and queue the operation corresponding to the instruction for execution.
Processor core 600 may also include execution logic 614 having a set of execution units 616-1 through 616-N. Some embodiments may include a number of execution units dedicated to specific functions or sets of functions. Other embodiments may include only one execution unit, or one execution unit that can perform a particular function. Execution logic 614 performs the operations specified by the code instructions.
After completion of execution of the operations specified by the code instructions, back-end logic 618 can retire the instructions of code 604. In one embodiment, processor core 600 allows out-of-order execution but requires in-order retirement of instructions. Retirement logic 620 may take a variety of known forms (e.g., re-order buffers or the like). In this manner, processor core 600 is transformed during execution of code 604, at least in terms of the output generated by the decoder, the hardware registers and tables utilized by register renaming logic 610, and any registers (not shown) modified by execution logic 614.
Although not shown in Fig. 6, a processor may include other elements on a chip with processor core 600, at least some of which were shown and described herein with reference to Fig. 5. For example, as shown in Fig. 5, a processor may include memory control logic along with processor core 600. The processor may include I/O control logic and/or may include I/O control logic integrated with memory control logic.
Note that with the examples provided herein, interaction may be described in terms of two, three, or more network elements. However, this has been done for purposes of clarity and example only. In certain cases, it may be easier to describe one or more of the functionalities of a given set of flows by referring only to a limited number of network elements. It should be appreciated that communication system 100 and its teachings are readily scalable and can accommodate a large number of components, as well as more complicated or sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of communication system 100 as potentially applied to a myriad of other architectures.
It is also important to note that the preceding flow charts (i.e., Figs. 2-4) illustrate only some of the possible scenarios that may be executed by, or within, communication system 100. Some of these operations may be deleted or removed where appropriate, or these operations may be modified or changed considerably without departing from the scope of the present disclosure. In addition, a number of these operations have been described as being executed concurrently with, or in parallel to, one or more additional operations. However, the timing of these operations may be altered considerably. The preceding operational flows have been offered for purposes of example and discussion. Communication system 100 provides substantial flexibility in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings of the present disclosure.
Although the present disclosure has been described in detail with reference to particular arrangements and configurations, these example configurations and arrangements may be changed significantly without departing from the scope of the present disclosure. Moreover, certain components may be combined, separated, eliminated, or added based on particular needs and implementations. Additionally, although communication system 100 has been illustrated with reference to particular elements and operations that facilitate the communication process, these elements and operations may be replaced by any suitable architecture, protocols, and/or processes that achieve the intended functionality of communication system 100.
The following examples pertain to embodiments in accordance with this specification. One or more embodiments may provide a method for applying policies to email messages. The method may include: receiving, by an inbound policy module in a protected network, message metadata of an email message; determining, based on the message metadata, whether receiving the email message in the protected network is prohibited by at least one metadata policy of one or more metadata policies; and, if receiving the email message in the protected network is prohibited by the at least one metadata policy, preventing the email message from being forwarded to the protected network.
In an example of one embodiment, the preventing includes sending an answer code to an email threat sensor in a cloud network, where the email threat sensor receives the email message from a sending client in another network.
An example of one embodiment further includes: if receiving the email message in the protected network is not prohibited by the one or more metadata policies, requesting scan result data for the email message.
An example of one embodiment further includes: receiving the scan result data by the inbound policy module in the protected network; determining, based on the scan result data, whether receiving the email message in the protected network is prohibited by at least one scan policy of one or more scan policies; and, if receiving the email message in the protected network is prohibited by the at least one scan policy, preventing the email message from being forwarded to the protected network.
An example of one embodiment further includes: if receiving the email message in the protected network is not prohibited by the one or more scan policies, requesting the email message.
An example of one embodiment further includes: when the email message is requested, receiving the email message by the inbound policy module in the protected network; and forwarding the email message to a mail server in the protected network, where the mail server delivers the email message to an intended recipient of the email message.
An example of one embodiment further includes: when the email message is requested, receiving the email message by the inbound policy module in the protected network; scanning the received email message for content prohibited by one or more local scan policies; and quarantining the email message in response to finding at least some prohibited content during the scanning.
An example of one embodiment further includes: when the email message is requested, receiving the email message by the inbound policy module in the protected network; scanning the received email message for content prohibited by one or more local scan policies; and, in response to finding at least some prohibited content during the scanning, preventing the email message from being delivered to the intended recipient of the email message.
An example of one embodiment further includes: in response to not finding any prohibited content during the scanning, forwarding the email message to the mail server in the protected network, where the mail server delivers the email message to the intended recipient of the email message.
One or more embodiments provide at least one machine-readable storage medium having stored thereon instructions for applying policies to email messages, the instructions, when executed by a processor, causing the processor to perform operations comprising: receiving, by an inbound policy module in a protected network, message metadata of an email message; determining, based on the message metadata, whether receiving the email message in the protected network is prohibited by at least one metadata policy of one or more metadata policies; and, if receiving the email message in the protected network is prohibited by the at least one metadata policy, preventing the email message from being forwarded to the protected network. An example of one embodiment further includes instructions that, when executed by the processor, cause the processor to: send an answer code to an email threat sensor in a cloud network to prevent the email message from being forwarded to the protected network, where the email threat sensor receives the email message from a sending client in another network.
An example of one embodiment further includes instructions that, when executed by the processor, cause the processor to: if receiving the email message in the protected network is not prohibited by the one or more metadata policies, request scan result data for the email message.
An example of one embodiment further includes instructions that, when executed by the processor, cause the processor to: receive the scan result data by the inbound policy module in the protected network; determine, based on the scan result data, whether receiving the email message in the protected network is prohibited by at least one scan policy of one or more scan policies; and, if receiving the email message in the protected network is prohibited by the at least one scan policy, prevent the email message from being forwarded to the protected network.
An example of one embodiment further includes instructions that, when executed by the processor, cause the processor to: if receiving the email message in the protected network is not prohibited by the one or more scan policies, request the email message.
An example of one embodiment further includes instructions that, when executed by the processor, cause the processor to: when the email message is requested, receive the email message by the inbound policy module in the protected network; and forward the email message to a mail server in the protected network, where the mail server delivers the email message to the intended recipient of the email message.
An example of one embodiment further includes instructions that, when executed by the processor, cause the processor to: when the email message is requested, receive the email message by the inbound policy module in the protected network; scan the received email message for content prohibited by one or more local scan policies; and quarantine the email message in response to finding at least some prohibited content when scanning the email message.
An example of one embodiment further includes instructions that, when executed by the processor, cause the processor to: when the email message is requested, receive the email message by the inbound policy module in the protected network; scan the received email message for content prohibited by one or more local scan policies; and, in response to finding at least some prohibited content during the scanning, prevent the email message from being delivered to the intended recipient of the email message.
An example of one embodiment further includes instructions that, when executed by the processor, cause the processor to: in response to not finding any prohibited content during the scanning, forward the email message to the mail server in the protected network, where the mail server is configured to deliver the email message to the intended recipient of the email message.
One or more embodiments include an apparatus for applying policies to email messages, the apparatus comprising: a processor in a protected network; and an inbound policy module executing on the processor, the inbound policy module configured to: receive message metadata of an email message; determine, based on the message metadata, whether receiving the email message in the protected network is prohibited by at least one metadata policy of one or more metadata policies; and, if receiving the email message in the protected network is prohibited by the at least one metadata policy, prevent the email message from being forwarded to the protected network.
An example of one embodiment further includes the inbound policy module being configured to: send an answer code to an email threat sensor in a cloud network to prevent the email message from being forwarded to the protected network, where the email threat sensor receives the email message from a sending client in another network.
An example of one embodiment further includes the inbound policy module being configured to: if receiving the email message in the protected network is not prohibited by the one or more metadata policies, request scan result data for the email message.
An example of one embodiment further includes the inbound policy module being configured to: receive the scan result data; determine, based on the scan result data, whether receiving the email message in the protected network is prohibited by at least one scan policy of one or more scan policies; and, if receiving the email message in the protected network is prohibited by the at least one scan policy, prevent the email message from being forwarded to the protected network.
An example of one embodiment further includes the inbound policy module being configured to: if receiving the email message in the protected network is not prohibited by the one or more scan policies, request the email message.
An example of one embodiment further includes the inbound policy module being configured to: when the email message is requested, receive the email message; and forward the email message to a mail server in the protected network, where the mail server delivers the email message to the intended recipient of the email message.
An example of one embodiment further includes the inbound policy module being configured to: when the email message is requested, receive the email message; scan the received email message for content prohibited by a local scan policy; and quarantine the email message in response to finding at least some prohibited content during the scanning.
An example of one embodiment further includes the inbound policy module being configured to: when the email message is requested, receive the email message; scan the received email message for content prohibited by a local scan policy; and, in response to finding at least some prohibited content during the scanning, prevent the email message from being delivered to the intended recipient of the email message.
An example of one embodiment further includes the inbound policy module being configured to: in response to not finding any prohibited content during the scanning, forward the email message to a mail server in the protected network, where the mail server is configured to deliver the email message to the intended recipient of the email message.
One or more embodiments provide at least one machine-readable storage medium having stored thereon instructions for applying policies to email messages, the instructions, when executed by a processor, causing the processor to perform operations comprising: receiving an email message having a recipient email address, the recipient email address identifying an intended recipient in a protected network; sending message metadata of the email message to an inbound mail policy module in the protected network; and, if receiving the email message in the protected network is prohibited by at least one metadata policy of one or more metadata policies, preventing the email message from being forwarded to the protected network.
An example of one embodiment further includes instructions that, when executed by the processor, cause the processor to: scan the email message for one or more threats; and, if receiving the email message in the protected network is not prohibited by the one or more metadata policies, send scan result data to the inbound mail policy module in the protected network.
An example of one embodiment further includes instructions that, when executed by the processor, cause the processor to: if receiving the email message in the protected network is not prohibited by the one or more scan policies, send the email message to the inbound mail policy module in the protected network.
A particular example implementation may include: means for receiving message metadata of an email message in a protected network; means for determining, based on the message metadata, whether receiving the email message in the protected network is prohibited by at least one metadata policy of one or more metadata policies; and means for preventing the email message from being forwarded to the protected network if receiving the email message in the protected network is prohibited by the at least one metadata policy. The implementation may further include means for requesting scan result data for the email message if receiving the email message in the protected network is not prohibited by the one or more metadata policies. The implementation may further include: means for receiving the scan result data in the protected network; means for determining, based on the scan result data, whether receiving the email message in the protected network is prohibited by at least one scan policy of one or more scan policies; and means for preventing the email message from being forwarded to the protected network if receiving the email message in the protected network is prohibited by the at least one scan policy. The implementation may further include means for requesting the email message if receiving the email message in the protected network is not prohibited by the one or more scan policies. The implementation may further include: means for receiving the email message in the protected network when the email message is requested; means for scanning the received email message for content prohibited by one or more local scan policies; and means for quarantining or blocking the email message in response to finding at least some prohibited content during the scanning.
Another example implementation may include: means for receiving an email message having a recipient email address, where the recipient email address identifies an intended recipient in a protected network; means for sending message metadata of the email message to an inbound mail policy module in the protected network; and means for preventing the email message from being forwarded to the protected network if receiving the email message in the protected network is prohibited by at least one metadata policy of one or more metadata policies. The implementation may further include: means for scanning the email message for one or more threats; and means for sending scan result data to the inbound mail policy module in the protected network if receiving the email message in the protected network is not prohibited by the one or more metadata policies. The implementation may further include means for sending the email message to the inbound mail policy module in the protected network if receiving the email message in the protected network is not prohibited by the one or more scan policies.